Parsons v. Kimpton Hotel & Restaurant Group, LLC
Filing
44
ORDER by Judge Chhabria granting in part and denying in part #36 Motion to Dismiss. (vclc1S, COURT STAFF) (Filed on 4/13/2017)
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
LEE WALTERS,
Case No. 16-cv-05387-VC
Plaintiff,
v.
KIMPTON HOTEL & RESTAURANT
GROUP, LLC,
ORDER GRANTING IN PART AND
DENYING IN PART THE MOTION TO
DISMISS
Re: Dkt. No. 36
Defendant.
The motion to dismiss is granted in part and denied in part.
1. Kimpton's motion to dismiss the complaint for lack of standing is denied.
As an initial matter, the Court agrees with Kimpton that the allegations about Walters's
December 28, 2015 hotel stay do not support standing. This stay occurred several months prior
to the date the malware attack allegedly began, and Walters offers no allegations to show how
the breach could have placed at risk the data associated with the payment card that Walters used
during that stay.
The May 29th visit, on the other hand, fell during the alleged "at-risk" window. Walters
alleged that, from February 16, 2016 until July 7, 2016, hackers used malware to access Kimpton
computer systems and steal copies of customer data. It is plausible to infer from the complaint
that Walters's information was among the payment card information stolen. The theft of
Walters's payment card data and the time and effort he has expended to monitor his credit are
sufficient to demonstrate injury for standing purposes. See Lewert v. P.F. Chang's China Bistro,
819 F.3d 963, 965, 967-68 (7th Cir. 2016). Unlike the plaintiffs in Clapper v. Amnesty Int'l USA,
whose fears that the Government would monitor and intercept their communications were
insufficient to demonstrate "certainly impending" injury, Walters plausibly alleged that his data
has already been stolen and that it was taken in a manner that suggests it will be misused. 133 S.
Ct. 1138, 1151 (2013); see Galaria v. Nationwide Mut. Ins. Co., 663 Fed. App'x 384, 388 (6th
Cir. 2016) ("There is no need for speculation where Plaintiffs allege that their data has already
been stolen and is now in the hands of ill-intentioned criminals.").
Kimpton points to several district court cases holding that the theft of payment card data,
coupled with evidence of a single or just a few unauthorized charges, is insufficient to confer
standing. See Dugas v. Starwood Hotels & Resorts Worldwide, Inc., No. 16-cv-00014, 2016 WL
6523428, at *5 (S.D. Cal. Nov. 3, 2016); Torres v. Wendy's Co., 195 F. Supp. 3d 1278, 1284-85
(M.D. Fla. 2016); In re SuperValu, Inc., No. 14-md-02586, 2016 WL 81792, at *5 (D. Minn. Jan.
7, 2016). The Court respectfully disagrees that a plaintiff must actually suffer the misuse of his
data or an unauthorized charge before he has an injury for standing purposes. See Lewert, 819
F.3d at 967-68 (concluding that time and effort spent monitoring card statements and financial
accounts were sufficient to confer standing to Lewert even though he had not yet experienced
unauthorized charges); see also In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1215
(N.D. Cal. 2014) ("[T]o require Plaintiffs to wait until they actually suffer identity theft or credit
card fraud in order to have standing would run counter to the well-established principle that harm
need not have already occurred or be 'literally certain' in order to constitute injury-in-fact.").
2. The motion to dismiss the implied contract claim is denied.
Walters plausibly alleged the existence of an implied contract arising from Kimpton's
privacy policy, which states that Kimpton is "committed" to safeguarding customer privacy and
personal information.1 To the extent this commitment creates an enforceable promise, the
promise is a voluntary duty not imposed by law and constitutes valid consideration. See Janda v.
Madera Cmty. Hosp., 16 F. Supp. 2d 1181, 1188 (E.D. Cal. 1998). Walters sufficiently alleged
1
Although Walters does not discuss the privacy policy under the "Breach of Implied Contract"
heading, the discussion of the privacy policy elsewhere in the complaint is adequate to put
Kimpton on notice of the basis for Walters's claim.
2
"actual damages" flowing from the alleged breach, including having to "secure and maintain"
credit monitoring services (which presumably come at a cost) and other "out-of-pocket expenses
and the value of . . . time reasonably incurred to remedy or mitigate" the breach. See In re
Anthem, Inc. Data Breach Litig., No. 15-md-02617, 2016 WL 3029783, at *16 (N.D. Cal. May
27, 2016); see also Lewert, 819 F.3d at 967-68.
3. The motion to dismiss the negligence claim is denied.
For the reasons discussed above, Walters has alleged actual damages. With respect to
Kimpton's argument that the economic loss rule bars this claim, the Court lacks sufficient
information to rule on this claim at the motion to dismiss stage.
4. The motion to dismiss the UCL claims is denied in part and granted in part.
For the reasons stated above, Walters has alleged economic injury resulting from the
breach. Accordingly, the motion to dismiss the UCL claims for unfair and unlawful business
practices is denied.
However, Walters fails to plead that he actually relied on Kimpton's alleged
misrepresentations, as he was required to do to state a UCL claim based on fraud. See Kwikset
Corp. v. Superior Court, 51 Cal. 4th 310, 326 & n.9 (2011). The fraud claim will be dismissed
with prejudice because Kimpton put Walters on notice of this defect in its first motion to dismiss,
and, when given the opportunity to amend his complaint rather than respond to the motion,
Walters failed to correct the defect.
IT IS SO ORDERED.
Dated: April 13, 2017
______________________________________
VINCE CHHABRIA
United States District Judge
3
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?